Security - Trust and Gossip

Presentation I gave at #Loadays 2012. It's about how new "secure" tech isn't that secure at all.

Frank Louwers

March 31, 2012
Transcript

  1. Past few years:
     • IPv6 will have security built in
     • DNSSEC will provide a more stable and secure DNS infrastructure
     • Secure BGP is the way ISPs will work
     • Telenet and Belgacom “homespots” are great
  2. This talk:
     • Provocative!
     • Meant to give you an overview, not tech details
     • I am a user / admin, not an expert
     • Should make you think, not act
     • Just after the lunch break
  3. IPv6 myths
     • “Security built in”
       • means: “IPSec is part of the spec”
       • fact: not better than IPv4 + IPSec
  4. IPv4
     Source IP, Destination IP, Source Port and Destination Port sit at fixed locations in the packet.
     Image: IPv4 header (c) cisco.com
  5. IPv6: IP Header
     The IP header of IPv6 is simpler than IPv4, but ...
     Image: IPv6 header (c) tcpipguide.com
  6. Result:
     • Source port and destination port can be anywhere in the IPv6 packet
     • ACLs can’t work fast
     • ASICs assume no extension headers
  7. Even worse ...
     • firewalls/routers don’t catch this!
     • they only inspect the first X bytes of a packet
     • craft an IPv6 packet so that the port location is beyond byte X
     • Example: Juniper
     • http://blog.ip.fi/2011/08/ipv6-acl-bypass.html
  8. Juniper filter terms:
     term my_smtp {
         from { destination-address 2001:db8::42/128; }
         then accept;
     }
     term no_spam {
         from { next-header tcp; destination-port 25; }
         then discard;
     }
     term accept { then accept; }
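Added example, not part of the slides: a Python model of the bypass from slide 7 applied to the no_spam/accept terms of slide 8, with a matcher that only looks at the first X bytes and assumes a fixed port offset beside one that walks the extension-header chain first. The packet builder, the 64-byte inspection window and the filter function are constructed here for illustration.

```python
import struct

IPV6_HDR_LEN = 40
PROTO_TCP, PROTO_FRAGMENT, PROTO_DSTOPTS = 6, 44, 60
# Extension headers laid out as: next header (1 byte), length in 8-octet units
# not counting the first 8 (1 byte). AH (51) uses 4-octet units and is not modelled.
CHAINED_EXT = {0, 43, PROTO_DSTOPTS}        # Hop-by-Hop, Routing, Destination Options

def build_ipv6_tcp(dst_port, ext_pad_units=0):
    """Constructed test packet: IPv6 + minimal TCP header, optionally with a
    Destination Options header of 8*(ext_pad_units+1) bytes (one PadN option) in between."""
    payload = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16   # 20-byte TCP header
    next_hdr = PROTO_TCP
    if ext_pad_units:
        hdr_len = 8 * (ext_pad_units + 1)
        # next header, ext length, then a PadN option (type 1) filling the rest of the header
        payload = bytes([next_hdr, ext_pad_units, 1, hdr_len - 4]) + b"\x00" * (hdr_len - 4) + payload
        next_hdr = PROTO_DSTOPTS
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + b"\x00" * 32  # src/dst zeroed
    return ipv6 + payload

def naive_tcp_dst_port(pkt, inspect_bytes=64):
    """Fast-path model (assumed behaviour): look only at the first inspect_bytes and
    expect the TCP header to start right after the fixed 40-byte IPv6 header."""
    window = pkt[:inspect_bytes]
    if len(window) < IPV6_HDR_LEN + 4 or window[6] != PROTO_TCP:
        return None                      # not seen as TCP, so a port match never fires
    return struct.unpack("!H", window[42:44])[0]

def walk_tcp_dst_port(pkt):
    """Follow the extension-header chain to the upper-layer header before matching."""
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    while next_hdr in CHAINED_EXT:
        if off + 2 > len(pkt):
            return None
        next_hdr, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    if next_hdr == PROTO_FRAGMENT:
        return None                      # port may sit in a later fragment: unknown here
    if next_hdr != PROTO_TCP or off + 4 > len(pkt):
        return None
    return struct.unpack("!H", pkt[off + 2:off + 4])[0]

def no_spam_filter(pkt, port_lookup):
    """The slide's no_spam and accept terms: discard TCP to port 25, accept everything else
    (including packets whose port the matcher could not find)."""
    return "discard" if port_lookup(pkt) == 25 else "accept"
```

A matcher that cannot locate the upper-layer header falls through to the final accept term, which is exactly why the chain walk (or a policy that discards what it cannot parse) matters.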
  9. DNSSEC in 1 line
     “Makes DNS more secure by signing records using private/public keys”
  10. DNSSEC resolvers
     • Should not give a reply to the user if the records are badly signed
     • Can lead to downtime of sites
     • nasa.gov: January 2012
     • .UK, .FR, RIPE, Mozilla.org, various .gov, ...
  11. Big problem: transfers
     • Without cooperation: resolution problems
     • Very complex, even with cooperation
     • Verisign whitepaper: 11 steps!
     • Without cooperation: impossible!
       • unless declaring the zone “unsafe” for +/- 7 days
  12. Read More
     • Verisign whitepaper:
       • http://www.verisigninc.com/assets/whitepaper-dnssec-transfers.pdf
     • Proposal by DENIC:
       • http://tools.ietf.org/html/draft-koch-dnsop-dnssec-operator-change-03
     • Shinkuro study:
       • http://ccnso.icann.org/node/9280
  13. Secure BGP
     Securing the protocol that makes the internet work
     Most of this: Geoff Huston’s presentation at AusCERT, http://www.potaroo.net/presentations/2011-05-16-route-secure.pdf
  14. BGP
     • Routing protocol: used by *all* ISPs
     • Based on “advertisements”
       • We, being network 30961, have a route to
       • prefixes 188.93.96.0/21, 88.151.240.0/21...
  15. Problems
     • Based on Trust and Gossip
     • “The internet runs fine, right?”
     • But who checks if the gossip is right?
     • Do you trust your neighbour?
     • Do you trust your neighbour’s neighbour?
     • Do you trust Pakistani or Saudi Telecom?
  16. When the net breaks
     • February 2008:
       • Pakistan “filters” YouTube in an incorrect way
       • Breaks YouTube for everyone
     • Spammers “steal” someone else’s address space
     • More?
  17. How many BGP “lies”?
     • About 400 on any given day!
     • Level3
     • TATA
     • UUNet
     • Telstra
     • France Telecom
  18. Why?
     • We are sloppy
     • and used to being sloppy
     • and used to everybody being sloppy
     • abuses are relatively infrequent
     • so we tolerate this state
  19. Proposed solution
     • Routing Security, Secure BGP
     • PKI infrastructure
       • network numbers
       • and prefixes
     • Managed by RIPE, APNIC, ARIN, AfriNIC...
  20. Problems
     • Filtering what your peers announce
       • Good
       • Doesn’t help to check further along the path
       • No PKI needed to do that now anyway
  21. Problems ...
     • Full check on the entire path
       • possible
       • slow
       • needs 10 GB of RAM in each router
       • needs heaps and heaps of CPU power
       • no incremental rollout possible
  22. We can’t ...
     We can’t make secure routing mechanisms cheaper, more robust and more effective than existing routing tools ...
     • We can make it more robust, but it won’t be cheap
     • We can make it fast, but it won’t be robust nor cheap
     • We can make it cheap, but it won’t be robust
  23. What prevents me ...
     • Taking the Telenet homespot / Belgacom fon login page
     • Putting up a WiFi net with the right SSID
     • Putting my fake page up as the captive portal
     • Stealing your logins
     • All your base belong to me!
  24. But but but but ...
     • It’s SSL enabled, right?
     • Sure
     • But does your mom check SSL?
     • Does your mom check the URL in the browser bar?
     • Possible to put a “looks ok” URL in the URL bar
       • with a valid SSL cert
     • Possible to put the real URL, but without SSL
  25. Fix?
     • Not easy.
     • Two ways:
       • Login other than web (e.g. SMS text?)
       • Client apps
         • mobile clients: no problem
         • “real” computers: what to support? Admin rights?
  26. Conclusion
     • Stuff that looks good at first:
       • isn’t always good
       • isn’t solving the problems you think it solves
     • IPv6 might be less secure than you think
     • DNSSEC will break things, hard!
     • Secure BGP is not a solution
     • Maybe you shouldn’t use Telenet Homespots